
Install and configure Istio Gateway

Istio Gateway is a Gateway-API-based component for managing incoming traffic to a Kubernetes cluster. It serves as the entry point to the system and allows for flexible routing of HTTP and HTTPS traffic.

This article will cover how to:

Install Istio Gateway API (optional)

This stage is only required if Istio Gateway is not already installed in your cluster. If you already have this component, you can skip this stage.

The installation consists of the following steps:

  1. Download the Helm chart and configuration file.
  2. Fill out the configuration file.
  3. Install the Istio Helm chart with Gateway API support.
  4. Create a GatewayClass.
  5. Create a TLS certificate.
  6. Create a Gateway.
  7. Configure an external IP address via MetalLB (optional).

Step 1: Download the Helm chart and configuration file

For online installation, get the values-istio.yaml configuration file by running the command:

helm repo add elma365 https://charts.elma365.tech
helm repo update
helm show values elma365/istio > values-istio.yaml

Get a configuration file for offline installation in a closed environment

Step 2: Fill out the configuration file

Fill out the values-istio.yaml configuration file to install the Istio service and enable Gateway API support:

global:
 gatewayAPI:
   enabled: true

Fill in the private registry connection parameters for offline installation in a closed environment

Step 3: Install the Istio Helm chart with Gateway API support

Install the Istio chart in the istio-system namespace. The namespace will be created during installation if it hasn't already been created.

Depending on your installation method, follow these steps:

  • For online installation, use the command:

helm upgrade --install istio elma365/istio -f values-istio.yaml -n istio-system --create-namespace

  • To install without internet access, navigate to the directory with the downloaded chart and run the command:

helm upgrade --install istio ./istio -f values-istio.yaml -n istio-system --create-namespace

Step 4: Create a GatewayClass

The GatewayClass determines which controller will handle Gateway resources in the cluster.

Create a GatewayClass:

kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
 name: istio
spec:
 controllerName: istio.io/gateway-controller
EOF

Step 5: Create a TLS certificate

To ensure HTTPS access, create a TLS certificate and add it to Kubernetes as a secret.

You can use one of the following options:

  • A self-signed certificate.
  • A certificate issued by a trusted certificate authority.

  1. To generate the certificate, use one of the following instructions:

  2. Add the created certificate to Kubernetes. To do this, create a TLS secret in the istio-system namespace from the certificate file (.crt) and the private key file (.key) you obtained, using the following command:

kubectl create secret tls elma365-tls -n istio-system \
--cert=/etc/ssl/certs/selfsigned.crt \
--key=/etc/ssl/private/selfsigned.key

Where:

  • elma365-tls is the name of the secret to be used in the Gateway. The secret name must match the certificateRefs.name value in the Gateway resource.
  • --cert is the path to the certificate.
  • --key is the path to the private key.

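The following POSIX shell script is an added example and is not part of the original article or the ELMA365 charts. It shows one way to produce a self-signed certificate for the BRIX hostname and, more importantly, how to verify a certificate/key pair before it is stored as the elma365-tls secret: the private key must match the certificate's public key, the certificate must not be expired, and its Subject Alternative Name must list the hostname, otherwise browsers and API clients will reject the connection even though the Gateway starts without error. The hostname elma365.example.local, the temporary file paths, and the function names gen_selfsigned, check_tls_pair and secret_cmd are assumptions; openssl 1.1.1 or newer is required, and the kubectl command from the step above is printed rather than executed.

```shell
#!/bin/sh
# Added example: self-signed certificate generation and pre-flight checks
# for the TLS secret used by the Gateway. Not part of the original article.
# Assumptions: openssl 1.1.1+ is installed; the hostname and paths are examples.
set -eu

# Generate a private key and a self-signed certificate whose SAN lists HOST.
# Usage: gen_selfsigned HOST CERT_PATH KEY_PATH
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -keyout "$3" -out "$2" >/dev/null 2>&1
}

# Return 0 only if the private key matches the certificate, the certificate
# is still valid, and its SAN lists HOST. Usage: check_tls_pair HOST CERT KEY
check_tls_pair() {
  host=$1; crt=$2; key=$3
  # Compare the public keys rather than RSA moduli so EC keys also work.
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$crt_pub" = "$key_pub" ] || { echo "private key does not match $crt" >&2; return 1; }
  # -checkend 0 fails if the certificate has already expired.
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "$crt has expired" >&2; return 1; }
  # The SAN must name the host the Gateway serves; the CN alone is not enough.
  openssl x509 -in "$crt" -noout -text | grep -Fq "DNS:$host" \
    || { echo "$crt does not list DNS:$host in subjectAltName" >&2; return 1; }
}

# Print the secret creation command from the article for a verified pair.
# Usage: secret_cmd SECRET_NAME CERT KEY
secret_cmd() {
  printf 'kubectl create secret tls %s -n istio-system --cert=%s --key=%s\n' "$1" "$2" "$3"
}

# Demo run (only when openssl is available): generate, verify, print the command.
if command -v openssl >/dev/null 2>&1; then
  demo_dir=$(mktemp -d)
  gen_selfsigned elma365.example.local "$demo_dir/tls.crt" "$demo_dir/tls.key"
  if check_tls_pair elma365.example.local "$demo_dir/tls.crt" "$demo_dir/tls.key"; then
    secret_cmd elma365-tls "$demo_dir/tls.crt" "$demo_dir/tls.key"
  fi
fi
```

For a certificate issued by a trusted CA the same check_tls_pair call applies; only gen_selfsigned is skipped. Running the check on the files before kubectl create secret avoids a Gateway listener that looks healthy but serves a certificate clients cannot validate.
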
Step 6: Create a Gateway

A Gateway defines the rules for processing incoming traffic in the cluster. It describes which ports and protocols are served and which certificates are used for HTTPS.

Within Istio Gateway, a Gateway API resource is created and associated with the previously created GatewayClass.

Create the main Gateway:

kubectl apply -n istio-system -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
 name: main-gateway
spec:
 gatewayClassName: istio
 listeners:
 - name: http
   port: 80
   protocol: HTTP
   allowedRoutes:
     namespaces:
       from: All
 - name: https
   port: 443
   protocol: HTTPS
   tls:
     mode: Terminate
     certificateRefs:
     - name: elma365-tls
   allowedRoutes:
     namespaces:
       from: All
EOF

Where:

  • gatewayClassName. Specifies which controller will handle the Gateway.
  • listeners. A list of entry points:
    • port and protocol. HTTP or HTTPS.
    • tls.mode: Terminate. TLS termination on the Gateway side.
    • certificateRefs. A reference to the previously created TLS secret.
    • allowedRoutes. Determines which namespaces are allowed to attach routes to the listener.

After creating the Gateway, you can attach routes (HTTPRoute) to it to publish services.

Step 7: Configure an external IP address via MetalLB (optional)

After creating the Gateway, you need to ensure external access to it. In Istio, each Gateway automatically creates a Kubernetes Service of the LoadBalancer type, which handles incoming traffic.

  1. Check the Gateway service using the command:

kubectl get svc -n istio-system

If the EXTERNAL-IP column shows an IP address, external access is already configured. If the EXTERNAL-IP value is <pending> or <none>, the cluster does not have an external load balancer.

In cloud Kubernetes clusters, an external load balancer is created automatically, so no additional actions are required.

  2. In local or test environments (On-Premises / Single-node clusters), there is no external load balancer, so MetalLB can be used. It implements LoadBalancer behavior and assigns an external IP to the Gateway.

    Install MetalLB:

kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.15.3/config/manifests/metallb-native.yaml

  3. Wait for the components to start:

kubectl get pods -n metallb-system -w

  4. Configure the IP address pool:

kubectl apply -f - <<EOF
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
 name: host-ip-pool
 namespace: metallb-system
spec:
 addresses:
 - 192.168.29.176-192.168.29.176
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
 name: host-ip-adv
 namespace: metallb-system
spec:
 ipAddressPools:
 - host-ip-pool
EOF

Note

192.168.29.176 is an example IP address of the host where Kubernetes is installed. In your cluster, use the actual IP address of the node, accessible to external traffic.


  5. Check the Gateway service:

kubectl get svc main-gateway-istio -n istio-system

The Gateway is ready to be used for routing BRIX traffic.
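
The following POSIX shell functions are an added example, not part of the original article. They automate the EXTERNAL-IP check from this step by parsing kubectl get svc output, so that a deployment script can tell "address assigned" apart from "<pending>/<none>" and from "Service missing", and wait for MetalLB before BRIX routes are published. The two Service listings are constructed for the example (they mirror the main-gateway-istio Service and the example address 192.168.29.176 from the article, not real cluster output); the function names gateway_external_ip, is_external_ip_ready and wait_for_external_ip are assumptions, and only wait_for_external_ip calls kubectl.

```shell
#!/bin/sh
# Added example: parse `kubectl get svc` output and decide whether the
# Gateway's LoadBalancer Service has an external IP. Not from the article.
set -eu

# Print the EXTERNAL-IP cell for Service NAME from `kubectl get svc` text on
# stdin. Exit 2 if the Service is not listed. Usage: gateway_external_ip NAME
gateway_external_ip() {
  awk -v svc="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "EXTERNAL-IP") col = i; next }
    $1 == svc { print $col; found = 1 }
    END { exit found ? 0 : 2 }'
}

# Print the address and return 0 when it is assigned; return 1 for
# <pending>/<none> (no load balancer yet); return 2 if the Service is missing.
is_external_ip_ready() {
  ip=$(gateway_external_ip "$1") || return 2
  case "$ip" in
    "<pending>"|"<none>"|"") return 1 ;;
    *) printf '%s\n' "$ip" ;;
  esac
}

# Constructed sample listings (not real cluster output): before and after
# MetalLB has assigned the address from host-ip-pool.
SAMPLE_PENDING='NAME                 TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
istiod               ClusterIP      10.96.12.34    <none>           15010/TCP,15012/TCP,443/TCP,15014/TCP        5m
main-gateway-istio   LoadBalancer   10.96.200.10   <pending>        15021:31234/TCP,80:30080/TCP,443:30443/TCP   2m'
SAMPLE_READY='NAME                 TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                                      AGE
istiod               ClusterIP      10.96.12.34    <none>           15010/TCP,15012/TCP,443/TCP,15014/TCP        5m
main-gateway-istio   LoadBalancer   10.96.200.10   192.168.29.176   15021:31234/TCP,80:30080/TCP,443:30443/TCP   3m'

# Typical use in a deployment script: poll until the address is assigned.
# Usage: wait_for_external_ip NAME NAMESPACE [ATTEMPTS]  (10 s between attempts)
wait_for_external_ip() {
  attempts=${3:-30}
  while [ "$attempts" -gt 0 ]; do
    if ip=$(kubectl get svc "$1" -n "$2" | is_external_ip_ready "$1"); then
      printf '%s\n' "$ip"; return 0
    fi
    attempts=$((attempts - 1)); sleep 10
  done
  echo "no EXTERNAL-IP for $1 after polling; is MetalLB configured?" >&2
  return 1
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_PENDING" | is_external_ip_ready main-gateway-istio \
  || echo "pending: configure MetalLB (Step 7) before routing traffic"
printf '%s\n' "$SAMPLE_READY" | is_external_ip_ready main-gateway-istio
```

In a real cluster the call is wait_for_external_ip main-gateway-istio istio-system, which returns the assigned address or fails after the polling limit instead of silently proceeding with a Gateway nobody can reach.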


Configure BRIX to work with the Istio Gateway API

After installing the Istio Gateway, enable Gateway API support in the BRIX configuration.

To do this, edit the values-elma365.yaml file used during installation. Add or modify the following parameters:

global:
 gatewayAPI:
   ## Enabling Gateway API (HTTPRoute)
   enabled: true
   parentRefs:
   - name: main-gateway
     namespace: istio-system
   envoyFilter:
     enabled: true
     namespace: istio-system
     workloadSelector:
       gateway.istio.io/managed: istio.io-gateway-controller

Where:

  • enabled. Enables the use of the Gateway API instead of Ingress.
  • parentRefs. Specifies the Gateway through which BRIX will be published.
  • envoyFilter. Enables the additional Envoy settings required for correct operation through Istio Gateway.

The parameters must match the previously created Gateway resource.

For a full description of all the parameters in the values-elma365.yaml configuration file, as well as steps for working with this file, see Modify BRIX Enterprise parameters.